Hard_Configurator - Windows Hardening Configurator
Quote from Andy Ful (post 957071):

Post edited.

It is worth remembering that whitelisting EXE and MSI files in the user AppData and ProgramData folders can be done safely in H_C settings (in the home environment), but not when using a similar setup via AppLocker or Defender Application Control (WDAC/MDAC). Neither AppLocker nor Application Control can block shortcuts and many unsafe file extensions (like CHM, HTA, etc.), so one has to block many LOLBins (Sponsors) instead. WDAC/MDAC also cannot block the BAT and CMD extensions (AppLocker can). This can be very inconvenient, because blocking unsafe files by LOLBins does not allow whitelisting.

For example, when using SRP, one usually blocks BAT and CMD scripts by default and can whitelist some of them in selected locations. The user can still run cmd.exe and use CMD commands from the CMD console. A hacker could also use this, but it would require remote features (blocked by H_C), CmdLine access (blocked by H_C), or a sophisticated exploit (no scripting, hardly possible in the home environment on Windows 10).

When blocking LOLBins via WDAC/MDAC, the scripting LOLBin cmd.exe must be blocked for BAT or CMD scripts, and then all BAT and CMD scripts will be blocked (they cannot be selectively whitelisted). Furthermore, the CMD console will be blocked too. Such strict restrictions follow from the fact that in an Enterprise environment the remote features are enabled, and one has to assume that some parts of the local network may possibly be compromised by hackers. Generally, the Enterprise environment has far more attack vectors, so it requires different protection layers compared to the home environment.
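The "block scripts by default, whitelist a selected location" setup the post contrasts with WDAC, shown as an added example using AppLocker's Script rule collection (this is not code from the post or from Hard_Configurator). It assumes an elevated PowerShell session on an AppLocker-capable Windows edition; the folder name WhitelistedScripts and the two sample .cmd/.bat files are constructed for the demonstration.

```powershell
# Once a rule collection contains at least one rule, AppLocker implicitly denies
# every file in that collection that no rule allows. The three Allow rules below
# therefore form the whitelist: BAT/CMD (and other script types) run only from
# Windows, Program Files and one chosen per-user folder. No Deny rule is needed.
# Assumption: "WhitelistedScripts" is a hypothetical folder name for this example.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Scripts in Windows folder"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Scripts in Program Files"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Whitelisted per-user script folder"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\WhitelistedScripts\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'script-whitelist.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Constructed sample files: one inside the whitelisted folder, one sitting
# directly in the AppData root, which no rule covers.
$allowedDir = Join-Path $env:LOCALAPPDATA 'WhitelistedScripts'
New-Item -ItemType Directory -Path $allowedDir -Force | Out-Null
$okScript  = Join-Path $allowedDir 'update.cmd'
$badScript = Join-Path $env:LOCALAPPDATA 'untrusted.bat'
Set-Content -Path $okScript  -Value '@echo trusted maintenance script'
Set-Content -Path $badScript -Value '@echo script outside the whitelist'

# Dry run: evaluate the policy against both files without enforcing anything.
# Each result row carries the file path, the policy decision and the matching rule.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $okScript, $badScript -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# To enforce after reviewing the dry run (the Application Identity service
# must be running for AppLocker to apply the rules):
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Note that cmd.exe itself remains runnable under this policy, exactly as the post describes for SRP; only script files outside the allowed paths are stopped.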